New on RIPE Labs: Is Your ISP Hijacking Your DNS Traffic?
Dear colleagues,

Please find a new article by Babak Farrokhi on RIPE Labs: Is your ISP Hijacking your DNS Traffic?
https://labs.ripe.net/Members/babak_farrokhi/is-your-isp-hijacking-your-dns-traffic?pk_campaign=labs&pk_kwd=list-dnswg

Kind regards,
Mirjam Kuehne
RIPE NCC
Hi, You wrote:
You can’t blame your service provider for hijacking your DNS traffic or running DPI on their network these days. In fact most of them use DPI to some extent for various reasons.
Yes, I would blame my ISP for that. That's something I wouldn't expect as a customer (and I don't want it).

Some ISPs with carrier-NATed IPv4 are setting up transparent SIP proxies to work around the NAT problems caused by multiple NAT on the carrier side. It regularly happens that SIP registration or SIP calls won't work because of... Yes, no one knows, because the SIP proxy is doing weird stuff and preventing customers from using SIP with any provider in the world. When your provider has a slight problem with its DNS layer-7 filtering proxy, you won't be able to use *any* DNS resolver. Even if the ISP is filtering some "evil" DNS requests (perhaps something used by trojans), the ISP shall do this on its own DNS resolvers, but not by intercepting network traffic.

You've done your experiment with UDP - does the ISP's interception also work when you use TCP for connecting to a DNS server? And what answer do you get when asking for "whoami.akamai.net"? You'll get an A record with the IP address of the client that asked the authoritative DNS server. What your tunnel provider is probably doing is ensuring that you are not leaking your IP address to external DNS resolvers, maybe for privacy reasons or to circumvent geoblocking attempts used by (for example) Netflix. But also in this case this is really scary...

Greetings
Max

On 06.07.2016 at 12:55, Mirjam Kuehne wrote:
Dear colleagues,
Please find a new article by Babak Farrokhi on RIPE Labs:
Is your ISP Hijacking your DNS Traffic?
Kind regards, Mirjam Kuehne RIPE NCC
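The two checks Max asks about, as an added example that is not part of the thread or of the RIPE Labs article: the same query sent over UDP and over TCP (an interceptor that only grabs UDP/53 will answer one but not the other), and a whoami.akamai.net lookup whose A record, as Max describes, carries the address of the resolver that reached the authoritative server. The script is standard-library Python; the resolver address and the prefixes the chosen resolver is expected to egress from are supplied by the caller (for a public resolver, its operator's published ranges), and sample_response() builds a constructed packet for offline testing, not captured traffic.

```python
"""Probe a resolver for DNS interception: UDP vs TCP, and whoami.akamai.net.

Added example, not code from the thread. Expected egress prefixes come from
the caller; sample_response() is a constructed packet for offline tests.
"""
import ipaddress
import os
import socket
import struct
import sys
from typing import List, Optional

WHOAMI = "whoami.akamai.net"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Minimal DNS query: random transaction ID, RD set, one IN question."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expected_txid: Optional[int] = None) -> List[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return addrs


def query_udp(server: str, name: str, timeout: float = 3.0) -> List[str]:
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, struct.unpack("!H", q[:2])[0])


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from resolver")
        buf += chunk
    return buf


def query_tcp(server: str, name: str, timeout: float = 3.0) -> List[str]:
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP is length-prefixed
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_a_records(data, struct.unpack("!H", q[:2])[0])


def classify(answers: List[str], expected_prefixes: List[str]) -> str:
    """'ok' if every address lies inside an expected egress prefix, else 'suspect'."""
    if not answers:
        return "empty"
    nets = [ipaddress.ip_network(p) for p in expected_prefixes]
    for a in answers:
        if not any(ipaddress.ip_address(a) in n for n in nets):
            return "suspect"
    return "ok"


def sample_response(txid: int = 0x1234, addr: str = "203.0.113.7") -> bytes:
    """Constructed response (not real traffic): one A record, compressed owner name."""
    q = build_query(WHOAMI, txid=txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(addr).packed
    return header + q[12:] + answer


if __name__ == "__main__":
    # usage: python dnsprobe.py <resolver-ip> <expected-prefix> [<expected-prefix> ...]
    server, prefixes = sys.argv[1], sys.argv[2:]
    for label, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            ans = fn(server, WHOAMI)
            print(label, ans, classify(ans, prefixes))
        except (OSError, ValueError) as exc:
            print(label, "failed:", exc)
```

A "suspect" result over UDP with an "ok" result over TCP, or a TCP timeout where UDP answers, is the signature of a box in the path answering on the resolver's behalf; an answer outside the expected prefixes on both transports means the interception is transport-independent, or that the prefix list is incomplete.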
On 6 Jul 2016, at 13:21, Max Grobecker <max.grobecker@ml.grobecker.info> wrote:
You wrote:
You can’t blame your service provider for hijacking your DNS traffic or running DPI on their network these days. In fact most of them use DPI to some extent for various reasons.
Yes, I would blame my ISP for that. That's something I wouldn't expect as a customer
Better check the small print of your contract with the ISP. Unless you’re living in a banana republic, your ISP will very likely be complying with laws that prevent access to illegal content. That generally means deploying things like DPI and policy-based DNS rewriting. Whether or not ISPs deserve to be blamed for that is another matter.
On 2016-07-06 at 15:26, Jim Reid wrote:
Unless you’re living in a banana republic, your ISP will very likely be complying with laws that prevent access to illegal content.
Well. Some of us might think that that is the definition of living in a banana republic.

--
Bengt Gördén
Resilans AB
On 6 Jul 2016, at 13:21, Max Grobecker <max.grobecker@ml.grobecker.info> wrote:
You wrote:
You can’t blame your service provider for hijacking your DNS traffic or running DPI on their network these days. In fact most of them use DPI to some extent for various reasons.
Yes, I would blame my ISP for that. That's something I wouldn't expect as a customer
Better check the small print of your contract with the ISP. Unless you’re living in a banana republic, your ISP will very likely be complying with laws that prevent access to illegal content. That generally means deploying things like DPI and policy-based DNS rewriting. Whether or not ISPs deserve to be blamed for that is another matter.
Even if they are not doing it on a permanent basis, the odds are that they have target/user-based DPI policies.
Hi,
On 6 Jul 2016, at 15:26, Jim Reid <jim@rfc1035.com> wrote:
On 6 Jul 2016, at 13:21, Max Grobecker <max.grobecker@ml.grobecker.info> wrote:
You wrote:
You can’t blame your service provider for hijacking your DNS traffic or running DPI on their network these days. In fact most of them use DPI to some extent for various reasons.
Yes, I would blame my ISP for that. That's something I wouldn't expect as a customer
Better check the small print of your contract with the ISP. Unless you’re living in a banana republic, your ISP will very likely be complying with laws that prevent access to illegal content. That generally means deploying things like DPI and policy-based DNS rewriting. Whether or not ISPs deserve to be blamed for that is another matter.
I am so glad that net-neutrality and privacy rules explicitly prevent Dutch ISPs from doing DPI and messing with my traffic like that :-) I just hope it stays that way and politicians aim for a balanced approach. The trend seems to be to mess with citizens' rights more and more no matter how useful/useless it actually is :-(

Cheers,
Sander
On 06.07.2016 at 15:26, Jim Reid wrote:
Yes, I would blame my ISP for that. That's something I wouldn't expect as a customer
Better check the small print of your contract with the ISP. Unless you’re living in a banana republic, your ISP will very likely be complying with laws that prevent access to illegal content. That generally means deploying things like DPI and policy-based DNS rewriting. Whether or not ISPs deserve to be blamed for that is another matter.
"Do not do illegal stuff with your internet connection" and "We will hijack your DNS requests (and maybe other services, too) just to make sure you don't do illegal stuff" are two completely different things.

Of course, the contract with my ISP (in my case Deutsche Telekom) contains paragraphs that make me fully liable for anything I do with my internet connection, including illegal file sharing, hacking attacks or whatever. But they won't finger in my data traffic. The worst thing that can happen to you is that they block port 25/TCP on your connection if you're sending spam.

And on the other hand: as soon as the ISP proves that it is capable of transparently manipulating my internet traffic, this would lead to the big question: could I ever be liable for anything I've allegedly done on my internet connection? Or was it done by my ISP, who manipulated my traffic? That'd be an interesting question if you are in front of a judge...

And as Sander Steffann pointed out: privacy laws prohibit this kind of data analysis and manipulation in many European countries.

Greetings
Max
On 6 Jul 2016, at 20:36, Max Grobecker <max.grobecker@ml.grobecker.info> wrote:
"Do not do illegal stuff with your internet connection" and "We will hijack your DNS requests (and maybe other services, too) just to make sure you don't do illegal stuff" are two completely different things.
Indeed. And sometimes ISPs hijack DNS traffic (or whatever) even when there’s nothing untoward going on: think stupid hotel and coffee shop networks for instance. My point remains though. Unless your contract and national law explicitly says the ISP never rewrites DNS responses, you shouldn’t assume it doesn’t happen. And even if those legal documents did say this, that doesn’t necessarily mean DNS rewriting doesn’t happen either. FWIW this is one reason why all my computers run their own validating resolvers. :-)
Of course, the contract with my ISP (in my case Deutsche Telekom) contains paragraphs that make me fully liable to anything I do with my internet connection, including illegal file sharing, hacking attacks or whatever. But they won't finger in my data traffic.
Your contract might not explicitly say that Max. But I expect the small print will say somewhere that DT has the right to do things to your service if they consider your use of their interwebs to be naughty or harms others or is blocked by court order, blah, blah, blah. Those contractual provisions will go beyond holding you liable after the fact: eg blocking port 25 if they decide you're sending spam. As you’ve just pointed out.
The worst thing that can happen to you is that they block port 25/TCP on your connection if you're sending spam.
Hmmm. I wonder what would happen if you tried to visit a child abuse web site or something that was similarly illegal in Germany? [It doesn’t matter where that content happens to be hosted BTW.] And please note I am not suggesting you actually test this.
On 2016-07-06 14:21:53 CET, Max Grobecker wrote:
And what answer do you get when asking for "whoami.akamai.net"? You'll get an A record with the IP address of the client that asked the authoritative DNS server.
It seems [1] that 10 probes out of 972, when asked for whoami.akamai.net via 8.8.8.8, receive an IP address not mentioned in the Google Public DNS FAQ [2].

[1] Rough-edges analysis of RIPE Atlas msm 4454125, please take it with a grain of salt!
[2] https://developers.google.com/speed/public-dns/faq#support

Pier Carlo

Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum